URL:

http://elcisneblanco.com/tmp/banking/details/bank.php

Full analysis: https://app.any.run/tasks/955fd2d8-2123-4bcc-91de-08e760e6a545
Verdict: Malicious activity
Analysis date: June 19, 2019, 16:26:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
Indicators:
MD5:

4DE491700DFB5A30481DC45F7DA6D41D

SHA1:

EAFB56CE1F7C362276609964A8A12E0CE06A4B9A

SHA256:

ACD4B6F116C16E3A6A41933825D694D104F57A55F55BCCC757669734CA0DD18E

SSDEEP:

3:N1KbIbiJiGGIKuMiMJNHtxn:C6iJi3ITMRNr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • WScript.exe (PID: 2212)
      • wscript.exe (PID: 4024)
      • wscript.exe (PID: 3964)

    • Writes to a start menu file

      • WScript.exe (PID: 2212)
      • wscript.exe (PID: 4024)
      • wscript.exe (PID: 3964)

  • SUSPICIOUS

    • Creates files in the user directory

      • WScript.exe (PID: 2212)
      • wscript.exe (PID: 4024)

    • Executes scripts

      • WScript.exe (PID: 2212)
      • wscript.exe (PID: 3964)

    • Application launched itself

      • WScript.exe (PID: 2212)
      • wscript.exe (PID: 3964)

  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3452)
      • iexplore.exe (PID: 2956)
      • iexplore.exe (PID: 3772)

    • Creates files in the user directory

      • iexplore.exe (PID: 3452)
      • iexplore.exe (PID: 2956)

    • Application launched itself

      • iexplore.exe (PID: 2956)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3452)

    • Manual execution by user

      • WinRAR.exe (PID: 3180)
      • WScript.exe (PID: 2212)

    • Changes internet zones settings

      • iexplore.exe (PID: 2956)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
47
Monitored processes
8
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe iexplore.exe winrar.exe no specs wscript.exe wscript.exe wscript.exe wscript.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2212"C:\Windows\System32\WScript.exe" "C:\Users\admin\Downloads\BANK DETAILS CONFIRMATION_PDF\BANK DETAILS CONFIRMATION_PDF - Copy.js" C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2592"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\ljSULvdTZD.js"C:\Windows\System32\wscript.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
1
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2956"C:\Program Files\Internet Explorer\iexplore.exe" http://elcisneblanco.com/tmp/banking/details/bank.phpC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
3180"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Downloads\BANK DETAILS CONFIRMATION_PDF.zip" "C:\Users\admin\Downloads\BANK DETAILS CONFIRMATION_PDF\"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3452"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2956 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3772"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2956 CREDAT:14337C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3964"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\BANK DETAILS CONFIRMATION_PDF - Copy.js"C:\Windows\System32\wscript.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
4024"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\ljSULvdTZD.js"C:\Windows\System32\wscript.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
1 906
Read events
1 424
Write events
478
Delete events
4

Modification events

(PID) Process:(2956) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(2956) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2956) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2956) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(2956) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2956) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000006E000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(2956) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:writeName:{07C899F3-92AF-11E9-B3B3-5254004A04AF}
Value:
0
(PID) Process:(2956) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Type
Value:
4
(PID) Process:(2956) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Count
Value:
1
(PID) Process:(2956) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Time
Value:
E30706000300130010001A002F00A201
Executable files
0
Suspicious files
3
Text files
29
Unknown types
5

Dropped files

PID
Process
Filename
Type
2956iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
2956iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3452iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
3452iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
3452iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O2LCSF69\bank[1].htmhtml
MD5:
SHA256:
2956iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].pngimage
MD5:9FB559A691078558E77D6848202F6541
SHA256:6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
3452iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O2LCSF69\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
2956iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF9619F529FBCAF0B8.TMP
MD5:
SHA256:
3452iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:
SHA256:
3452iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019061920190620\index.datdat
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
12
DNS requests
7
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3452
iexplore.exe
GET
200
192.185.26.103:80
http://elcisneblanco.com/tmp/banking/details/bank.php
US
html
222 b
unknown
2956
iexplore.exe
GET
200
192.185.26.103:80
http://elcisneblanco.com/favicon.ico
US
image
3.50 Kb
unknown
3772
iexplore.exe
GET
200
192.185.163.240:80
http://futuroformacion.es//moodle/calendar/amd/BANK%20DETAILS%20CONFIRMATION_PDF.zip
US
compressed
35.0 Kb
unknown
2956
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3452
iexplore.exe
192.185.26.103:80
elcisneblanco.com
CyrusOne LLC
US
unknown
2956
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2956
iexplore.exe
192.185.26.103:80
elcisneblanco.com
CyrusOne LLC
US
unknown
3452
iexplore.exe
192.185.163.240:80
futuroformacion.es
CyrusOne LLC
US
unknown
3772
iexplore.exe
192.185.163.240:80
futuroformacion.es
CyrusOne LLC
US
unknown
3964
wscript.exe
185.247.228.159:1765
www.tcoolsoul.com
malicious

DNS requests

Domain
IP
Reputation
elcisneblanco.com
  • 192.185.26.103
unknown
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
futuroformacion.es
  • 192.185.163.240
unknown
dns.msftncsi.com
  • 131.107.255.255
shared
brothersjoy.nl
unknown
www.tcoolsoul.com
  • 185.247.228.159
malicious

Threats

PID
Process
Class
Message
3772
iexplore.exe
Misc activity
ET INFO SUSPICIOUS Single JS file inside of ZIP Download (Observed as lure in malspam campaigns)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
http://elcisneblanco.com/tmp/banking/details/bank.php